Main Vulnerability Database SB2020051311

SB2020051311 - Information Disclosure in Doorkeeper for Ruby on Rails and Grape

Published: May 13, 2020

Security Bulletin ID SB2020051311

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2020-10187)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can retrieve the client secret only intended for the OAuth application owner.

Remediation

Install update from vendor's website.

References

https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
https://github.com/doorkeeper-gem/doorkeeper/releases
https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
https://github.com/rubysec/ruby-advisory-db/pull/446